Vehicle security system

ABSTRACT

A security system for a vehicle network of a vehicle is provided. The vehicle network includes a gateway and domain controllers for specific areas of the vehicle. The security system may validate messages sent from the gateway. The security system may also utilize split decryption keys in order to decrypt messages in the vehicle network. The security system may also utilize asymmetrical encryption keys in order to secure data within the vehicle network.

GENERAL DESCRIPTION

The present disclosure relates to a security system for a vehicle. Specifically a system and method for a vehicle that employs a multi-factor authentication method.

A vehicle, such as an automobile, may include systems that are connected to external networks such as the internet or other wireless systems such as a local area network. As more vehicles incorporate features that incorporate these networks, the more vulnerable the vehicles are to security exploitations. It is vital to ensure that modules within the vehicle's network are trusted and communication between the vehicle systems and modules are secure.

Conventionally, vehicle network systems are connected using un-secured connections. Messages received or sent by the vehicle network system may be tampered or modified in a malicious manner. It is an object of the present invention to provide a security system for the vehicle network system of a vehicle in order to protect the vehicle from malicious attacks. The disclosed embodiments provide security to ensure systems and modules of the vehicle network are valid and increases the difficulty associated with hacking vital systems or modules of the vehicle.

BRIEF DESCRIPTION OF THE DRAWINGS

The features, aspects, and advantages of the present disclosure will become apparent from the following description, and the accompanying exemplary embodiments shown in the drawings, which are briefly described below.

FIG. 1 is a schematic view of an exemplary vehicle network system.

FIG. 2 is a schematic view of the exemplary vehicle network system of FIG. 1 with a security system according to a first embodiment.

FIG. 3 is a schematic view of the exemplary vehicle network system of FIG. 1 with a security system according to a second embodiment.

FIG. 4 is a schematic view of the exemplary vehicle network system of FIG. 1 with a security system according to a third embodiment.

FIG. 5 is a schematic view of another exemplary vehicle network system with a security system according to an exemplary embodiment.

DETAILED DESCRIPTION

According to one embodiment of the disclosure, a vehicle includes various systems that include an electronic control unit (ECU). An ECU herein denotes any electronic system or unit within a vehicle with processing capabilities. One of more ECUs may be used to control different vehicle systems of the vehicle such as the vehicle propulsion (e.g., throttle or motor), steering, brakes, HVAC, sensors, radio, doors, engine, airbags, motors, infotainment and many other electronic systems contained in the vehicle. A vehicle network architecture may be divided into domains with a central gateway that bridges and provides connections between domains. A vehicle may include a network system that is used within each domain. The network system may include a domain controller. The domain controller may include a processor and function as an ECU or the domain may include one or more ECUs for carrying out and controlling the required functions of the vehicle systems contained in the domain. Each ECU may be integrated in the domain controller or may be a separate component of the domain.

A central gateway may be connected to a domain controller by Ethernet and/or CAN bus type connections. A message may be transmitted on both Ethernet and CAN bus connections simultaneously. However, the message receiving module would only consider the message to be valid when the messages on both the Ethernet and CAN bus match within a designated period. In order for the security of the network architecture to be compromised, an intruder must break the security on both network connections (Ethernet and CAN bus) and must have the necessary hardware to support both network connections. Thus, the multi-factor authentication (e.g., matching messages on both the Ethernet and CAN bus communications links) provides for improved security for the modules in a vehicle.

According to another embodiment, each of a plurality of network connections (e.g., Ethernet, CAN bus, etc.) may send a portion of an authentication token to the receiving module. The receiving module is configured to require all portions of the authentication token to be received from more than one network connections before validating data or acting on instructions being sent to the receiving module.

In another embodiment, the gateway may send asymmetrical encryption keys to each domain. A CAN-FD connection may be placed between each domain. Data sent between domains on the CAN-FD connection may be used by each domain only when the asymmetrical keys delivered by the gateway is used. Thus, the validation of the data being carried by the CAN-FD bus is provided by the asymmetrical encryption key provided by a separate source (e.g., the central gateway).

FIG. 1 is a simplified diagram or schematic of a vehicle network system 1. The vehicle network system includes a gateway 2 and two domains 10 and 20. Each domain 10/20 includes a domain controller 11/21 and multiple ECUs 12, 13, 14/22, 23, 24. Any number of domains and domain controllers may be disposed in the vehicle network system, only two are shown for this exemplary embodiment. Similarly, only three ECUs are shown, but any number of ECUs may be disposed in the vehicle network 1. A CAN bus 100/200 may be used to connect the gateway 2, corresponding ECUs (12, 13, 14/22, 23, 24) and corresponding domain controllers 11/21 of each domain. The CAN bus may be a CAN-FD (CAN with Flexible Data-Rate), thus allowing higher bandwidth data to be carried by the bus. The gateway 2 acts as a communication bridge between the two buses and domains. The gateway 2 allows message(s) to pass between domains to domain controllers or individual ECUs. The message(s) may be utilized by the module (ECU or domain controller) receiving the message(s). The vehicle network system 1 may also include Ethernet connections 300/400 connecting the gateway 2 to the domain controllers 11/21. An additional CAN bus 500 may be connected between the first domain 10 and the second domain 20 via the respective domain controllers 11, 21.

Each domain may correspond to a group of systems in the vehicle. For example, a first domain 10 may be a powertrain domain for a conventional, electric or hybrid vehicle. The powertrain domain may include all the electronics of the power train (e.g. motor controllers, inverters, hybrid combustion systems, associated ECUs, etc.), and the second domain 20 may be an Advance Driver Assistance Systems (ADAS) domain which includes all electronics of the ADAS (e.g. automotive sensors, ECUs, etc.). Although only two domains are shown, other domains such as the chassis domain and the safety domain may also be connected and communicate with each other using the connection methodology discussed herein. As an example, the ADAS domain 20 may send a message to the power train domain 10 to lower the voltage of the propulsion motors to lower the velocity and/or acceleration of the vehicle due to a vehicle sensor in the ADAS domain sensing that the vehicle is approaching an object or a stop sign. Another application may be utilized in FOTA (Firmware over the air) update of firmware on a safety critical device of the vehicle. For example, Gateway 2 may have a firmware update for safety critical domain controller 11. The firmware update is transmitted in blocks of data over Ethernet 300. For each block of data, a validating code is transmitted over CAN 100 within a window of time. The update is only valid if each data block receives a corresponding validity code. This will add a level of security that will prevent unwanted code from being installed and executed on safety critical devices.

Each domain controller 11/21, each ECU 12, 13, 14 and 22, 22, 23, and the gateway 2 may contain a processor and a memory. The memory is in communication with the corresponding processor, such as in any known wired, wireless, or waveguide manner. The memory comprises a computer-readable storage medium, which can be non-transitory. The storage medium stores a plurality of computer-readable instructions for execution via the processor. The instructions include data that causes the processor to act to facilitate performance of a component of the domain. For example, the instructions may cause the process to act to enable the performance of a method for automated turn signal activation, automated braking, lane keeping, airbag deployment, etc. For example, the instructions may include data required to control an operating system of the vehicle or an application to run on the operating system of the vehicle. For example, the processor and the memory can enable various file or data input/output operations, whether synchronous or asynchronous, including any of the following: reading, writing, editing, modifying, deleting, updating, searching, selecting, merging, sorting, encrypting, de-duplicating, or others.

The memory can comprise at least one of a volatile memory unit, such as random access memory (RAM) unit, or a non-volatile memory unit, such as an electrically addressed memory unit or a mechanically addressed memory unit. For example, the electrically addressed memory comprises a flash memory unit. For example, the mechanically addressed memory unit comprises a hard disk drive. The memory can comprise a storage medium, such as at least one of a data repository, a data mart, or a data store. For example, the storage medium can comprise a database, including distributed, such as a relational database, a non-relational database, an in-memory database, or other suitable databases, which can store data and allow access to such data via a storage controller, whether directly and/or indirectly, whether in a raw state, a formatted state, an organized stated, or any other accessible state. The memory can comprise any type of storage, such as a primary storage, a secondary storage, a tertiary storage, an off-line storage, a volatile storage, a non-volatile storage, a semiconductor storage, a magnetic storage, an optical storage, a flash storage, a hard disk drive storage, a floppy disk drive, a magnetic tape, or other suitable data storage medium.

FIG. 2 shows a first embodiment of a security system for the vehicle network system 1. The gateway 2 may transmit a pair of messages 3 and 3′ that may be sent to the domain controller 11 and at least one ECU 12/13/14 via the CAN bus 100 or the Ethernet connection 300. The domain controller 11 or the at least one ECU 12/13/14 will only accept the messages 3 and 3′ when the corresponding messages match (e.g., contain identical or the same data) within a designated period. The processor of each receiving module (domain controller and/or ECU) will determine if the received messages match. The domain controller 11 may receive both messages 3/3′ in order to compare the messages. If the messages match, then the message 3 (or 3′) will be considered valid by the domain controller 11 or ECUs 12/13/14 via each corresponding processors and may be stored into the memory of the domain controller or ECUs and/or processed and utilized by the processor of the domain controller or ECUs to control elements of the vehicle. The processor of the domain controller will mark the messages as valid and store the message in the memory of the domain controller and utilize the messages in controlling vehicle systems under ECUs 12/13/14. If the messages do not match, then the messages will not be accepted by any receiving module and the message will not be stored or utilized by the domain controller 11. The processor of the domain controller will mark the message as invalid. Marking the message as invalid may cause the message to be deleted. As shown in FIG. 2 , the first domain 10 is receiving the messages 3/3′, however, the exemplary security system may also apply to the second domain 20.

FIG. 3 shows a second embodiment of a security system for the vehicle network system 1. The gateway 2 may transmit a first message 4 comprising a first portion of an authentication key ‘A’ and a second message 4′ comprising a second portion of the authentication key ‘B.’ The first message 4 and the second message 4′ may be sent to the domain controller 21 via the CAN bus 200 and the Ethernet 400 respectively. The first and second portions of the authentication key ‘A’/‘B’ combined create a complete authentication key. The domain controller 21 may only consider any data or instructions contained in messages 4 and 4′ when the domain controller receives a complete authentication key ‘A’ and ‘B’ attached to the corresponding messages.

For example, the first and second portions of the authentication key may be halves of a key to decrypt messages 4 or 4′. The complete key allows the domain controller 20 to decrypt incoming encrypted messages through the Can bus 200 or Ethernet 400 via the processor of the domain controller 20. While only two authentication key portions are shown (‘A’/‘B’) the vehicle network system 1 may include multiple keys portions in any number of connections to the domain controller. As shown, the second domain 20 is receiving the messages 4 and 4′. However, the exemplary security system described may also apply to the first domain 10.

FIG. 4 shows a third embodiment of a security system for the vehicle network system 1. The gateway 2 may transmit an asymmetrical cryptography key 5 to domain controller 11 via the Ethernet connection 300, and an asymmetrical cryptography key 6 to domain controller 21 via the Ethernet connection 400. Messages (e.g. data) 7 may be encrypted using the cryptography key 5 via the processor of the domain controller 11 and sent via on CAN bus 500, and decrypted using the cryptography key 6 via the processor of the domain controller 21. The reverse may also be possible, wherein messages (e.g. data) 7 may be encrypted using the cryptography key 6 via the processor of the domain controller 21, and decrypted using the cryptography key 5 via the processor of the domain controller 11. This encryption method requires two different keys for the messages on the CAN bus to be utilized.

The security system as described above may be employed with any network connections with multiple domains, nodes, zones, or any other separate network areas. FIG. 5 shows a fourth embodiment of a security system for a vehicle network system 1000. The vehicle network system 1000 shows a zoned architecture system. Instead of a master gateway and servant domains as shown in the embodiments above, each vehicle zone are of equal standing in the network. As shown in FIG. 5 , the vehicle network system 1000 may include 4 zones 1010, 1020, 1030, and 1040, each with a corresponding controller 1011, 1021, 1031, and 1041. Each controller includes corresponding ECUs 1011 a-c, 1021 a-c, 1031 a-c, and 1041 a-c each configured to control a corresponding vehicle system. An Ethernet ring comprising Ethernet connections 1100, 1200, 1300, and 1400 is configured to link the four zones and controllers together. Additionally the four zones and controllers may be connected via a common CAN connection network 1050. A security system may be provided similar to the previous described embodiments.

A message may be transmitted via Ethernet connections 1100, 1200, 1300, and 1400 to any of the zone controllers 1011, 1021, 1031, and 1041. The zone controllers 1011, 1021, 1031, and/or 1041 will only accept the messages and when the corresponding messages match (e.g., contain identical or the same data) in both the CAN connection network and Ethernet connection within a designated period. A processor of the corresponding zone controller 1011, 1021, 1031, and 1041 receiving the message will determine if the received messages match. If the messages match, then the message will be considered valid by the receiving controller 1011, 1021, 1031, and/or 1041 via each corresponding processors of the receiving controller and may be stored into the memory of the receiving zone controller 1011, 1021, 1031, and 1041 and/or processed and utilized by the processor of the receiving zone controller. The corresponding processor of the zone controller 1011, 1021, 1031, and 1041 will mark the messages as valid and store the message in the memory of the zone controller and utilize the messages in controlling vehicle systems under ECUs 1011 a-c, 1021 a-c, 1031 a-c, and 1041 a-c. If the messages in the CAN network and Ethernet network do not match, then the messages will not be accepted by any receiving controller and the message will not be stored or utilized by any controller. The processor of corresponding zone controllers 1011, 1021, 1031, and 1041 will mark the message as invalid. Marking the message as invalid may delete the message.

FIG. 5 also illustrates that an ethernet message may take multiple hops through different zones and be validated by a single CAN. For example, when opposing corners of zone controllers (e.g. opposing corners 1031 to 1021 and 1041 to 1011 or vice versa) sends an ethernet message, it needs to be bridged and passed through an intermediate zone controller. Since the CAN is shared equally by all zones, the ethernet transmittal may be validated on this intermediate zone controller despite the ethernet message taking multiple network hops. For example, a message sent from zone controller 1011 to zone controller 1041 may be validated by zone controller 1021 and 1031.

An exemplary vehicle network system may utilize all described embodiments as discussed above. Each embodiment is not limited to the described security system and may utilize security systems described in other embodiments.

As utilized herein, the terms “approximately,” “about,” “substantially”, and similar terms are intended to have a broad meaning in harmony with the common and accepted usage by those of ordinary skill in the art to which the subject matter of this disclosure pertains. It should be understood by those of skill in the art who review this disclosure that these terms are intended to allow a description of certain features described and claimed without restricting the scope of these features to the precise numerical ranges provided. Accordingly, these terms should be interpreted as indicating that insubstantial or inconsequential modifications or alterations of the subject matter described and claimed are considered to be within the scope of the disclosure as recited in the appended claims.

It should be noted that the term “exemplary” as used herein to describe various embodiments is intended to indicate that such embodiments are possible examples, representations, and/or illustrations of possible embodiments (and such term is not intended to connote that such embodiments are necessarily extraordinary or superlative examples).

The terms “coupled,” “connected,” and the like as used herein mean the connection of two members directly or indirectly to one another. Such joining may be stationary (e.g., permanent) or moveable (e.g., removable or releasable). Such joining may be achieved with the two members or the two members and any additional intermediate members being integrally formed as a single unitary body with one another or with the two members or the two members and any additional intermediate members being attached to one another.

It is important to note that the construction and arrangement of the vehicle network security system as shown in the various exemplary embodiments is illustrative only. Although only a few embodiments have been described in detail in this disclosure, those skilled in the art who review this disclosure will readily appreciate that many modifications are possible (e.g., variations in sizes, dimensions, structures, shapes and proportions of the various elements, values of parameters, mounting arrangements, use of materials, colors, orientations, etc.) without materially departing from the novel teachings and advantages of the subject matter described herein. For example, elements shown as integrally formed may be constructed of multiple parts or elements, the position of elements may be reversed or otherwise varied, and the nature or number of discrete elements or positions may be altered or varied. The order or sequence of any process or method steps may be varied or re-sequenced according to alternative embodiments. Other substitutions, modifications, changes and omissions may also be made in the design, operating conditions and arrangement of the various exemplary embodiments without departing from the scope of the present disclosure. 

What is claimed is:
 1. A security system for a vehicle network, the security system comprising: a gateway connected to a first domain through an Ethernet connection and a CAN bus, the first domain including a first domain controller that is connected to the Ethernet connection and the CAN bus, wherein the first domain controller is configured to: receive, from the gateway, a first message and a second message; compare the first message and the second message via a processor of the first domain controller; and process, via the processor, the first message or the second message to control elements of the vehicle network when the first message and the second message are marked as valid by the first domain controller, via the processor, only when the first message and the second message match and are received from the gateway within a designated period.
 2. The security system of claim 1, wherein the first message and the second message are marked as invalid by the first domain controller when the first message and the second message do not match.
 3. The security system of claim 1, wherein the first message is sent via the CAN bus.
 4. The security system of claim 3, wherein the second message is sent via the Ethernet connection.
 5. The security system of claim 4, wherein the at least one electronic control unit is directly connected to the first domain controller and the gateway via the CAN bus.
 6. The security system of claim 5, further comprising a second domain including a second domain controller, wherein the first domain controller is directly connected to the second domain controller via an auxiliary CAN bus.
 7. The security system of claim 1, wherein the CAN bus is a CAN-FD.
 8. A security system for a vehicle network, the security system comprising: a gateway connected to a first domain through an Ethernet connection and a CAN bus, wherein the first domain includes a first domain controller that is connected to the Ethernet connection and the CAN bus, wherein the first domain controller is configured to: receive, via the CAN bus, from the gateway, a first message and a first portion of an authentication key attached to said first message; receive, via the Ethernet connection, from the gateway, a second message and a second portion of the authentication key attached to said second message; and decrypt the first message and the second message, via a processor, only when the first domain controller receives the first and second portions of the authentication key.
 9. The security system of claim 8, wherein the first and second portions of the authentication key combine into a complete authentication key.
 10. The security system of claim 8, wherein first domain includes at least one electronic control unit directly connected to the first domain controller and the gateway via the CAN bus.
 11. The security system of claim 8, wherein the CAN bus is a CAN-FD.
 12. The security system of claim 8, further comprising a second domain including a second domain controller, wherein the first domain controller is directly connected to the second domain controller via an auxiliary CAN bus.
 13. A security system for a vehicle network, the security system comprising: a gateway connected to a first and second domain through a first Ethernet connection and a second Ethernet connection respectively; the first domain includes a first domain controller and at least one electronic control unit; the second domain includes a second domain controller and at least one additional electronic control unit; an auxiliary CAN bus directly connecting the first and second domain controller; the first Ethernet connection is connected to the first domain controller and the second Ethernet connection is connected to the second domain controller; wherein the gateway is configured to send a first asymmetrical cryptography key to a first domain controller and a first asymmetrical cryptography key to a second domain controller; and wherein data on the auxiliary CAN bus is encrypted with one of the first and second asymmetrical cryptography key and decrypted with the other of the first and second asymmetrical cryptography key, via corresponding processors of the first and second domain controllers.
 14. The security system of claim 13, further comprising a first CAN bus directly connecting the gateway to the first domain controller, and a second CAN bus directly connecting the gateway to the second domain controller.
 15. The security system of claim 13, wherein the at least one electronic control unit is directly connected to the first domain controller and the gateway via the first CAN bus and the at least one additional electronic control unit is directly connected to the second domain controller and the gateway via the second CAN bus.
 16. The security system of claim 14, wherein the first CAN bus, second CAN bus and auxiliary CAN bus are CAN-FD connections.
 17. The security system of claim 13, wherein the first domain controller is configured to receive a third and fourth message from the gateway, wherein the first domain controller is configured to compare the third and fourth message via a processor of the first domain controller; and wherein the third and fourth message is marked as valid by the first domain controller, via the processor, only when the third and fourth message match.
 18. The security system of claim 13, wherein the first domain controller is configured to receive a fifth message and a first portion of an authentication key attached to said fifth message; the first domain controller is configured to receive a sixth message and a second portion of the authentication key attached to said sixth message; and wherein the first domain controller is configured to decrypt the fifth and sixth messages, via the processor of the first domain controller, only when the first domain controller receives the first and second portions of the authentication key. 